Skip to main content

WPZOOM Portfolio EUVDEUVD-2026-36010

| CVE-2026-49069 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 Patchstack GHSA-pvvf-jf93-577x
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 14:05 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS.

This issue affects WPZOOM Portfolio: from n/a through 1.4.21.

AnalysisAI

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (versions up to and including 1.4.21) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. Because the CVSS scope is Changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically enabling session hijacking or actions against the WordPress admin context. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Technical ContextAI

The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in the WPZOOM Portfolio plugin, a WordPress add-on (CPE cpe:2.3:a:wpzoom:wpzoom_portfolio) used to display portfolio content. The plugin reflects user-controlled input back into a rendered page without proper output encoding or sanitization, allowing attacker-supplied HTML/JavaScript to execute in the context of the WordPress site. As a reflected XSS, the malicious payload is delivered via a crafted URL or form parameter rather than being persisted server-side, and execution depends on the victim's browser rendering the response.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the supplied data - WordPress administrators should update the WPZOOM Portfolio plugin to the latest available release (any version newer than 1.4.21) via the WordPress plugin dashboard and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpzoom-portfolio/vulnerability/wordpress-wpzoom-portfolio-plugin-1-4-21-cross-site-scripting-xss-vulnerability for exact fix version details. If immediate patching is not possible, compensating controls include deactivating the WPZOOM Portfolio plugin (which removes any portfolio pages from the front end), deploying a WAF rule or Patchstack vPatch to filter reflected XSS payloads targeting the plugin's vulnerable parameters (may produce false positives on legitimate query strings), or enforcing a strict Content Security Policy that disallows inline script execution (can break themes/plugins that rely on inline JavaScript). Administrators should also remind privileged users not to click untrusted links while logged into wp-admin.

Share

EUVD-2026-36010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy